[clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.101.1 Patch has been released

[Alan Stern]

On Wed, 9 Jan 2019, Micah Snyder (micasnyd) wrote:

> Hi Alan,
> 
> It sounds like your system defaults to having the -Wall and -Wextra
> compiler flags enabled.  We do indeed still have a lot of work to
> clean up warnings when building with -Wall and -Wextra, I certainly
> want to clean up all the warnings long term, but the other remaining
> ones are, to my knowledge, not as worrisome.

That makes sense.

> I wasn't actually able to reproduce the warning that Gary reported
> (with clang or gcc on Mac or Ubuntu 18), but a quick look at the code
> showed that the issue was real.

I got the same warning as Gary, as well.

> The "Variable may be used uninitialized" type warnings are more
> serious-sounding ones but if I recall correctly, they occur in the
> tomsfastmath 3rd party library code.  It's on my to-do list to see if
> there's an update for that code as our copy hasn't been updated in a
> while.

I'm not sure which source files belong to that third party library.  
The two non-bogus warnings I got were:

libclamunrar/arcread.cpp:32:3: warning: 'ReadSize' may be used uninitialized in this function
libclamunrar/rijndael.cpp:101:21: warning: 'uKeyLenInBytes' may be used uninitialized in this function

These seem to assume that an input variable takes on an allowed value;  
I don't know if that assumption can always be guaranteed.

> The warnings in our own code regarding integers of different
> signedness are probably most concerning.  I very much want to take a
> stab at cleaning those up as soon as I find time, but it will require
> much care and heavy regression testing as it can be very easy to
> break things when changing variable types.

Indeed.  On-the-spot typecasting is less invasive but more awkward.

Alan Stern